All Topics


Hello, I monitor several VMs and the corresponding database logs with the following stanza:

[monitor:///usr/sap/.../HDB02/vhsfh*/trace/DB_*/*]

An example of the path would be: /usr/sap/NDJ/HDB02/vhsfhndjdb01/trace/DB_VU7

Now I would like to extract, during indexing, from the above path (which is the field "source") additional default fields that are always there, which would be:

SYSTEMDB (here: NDJ)
vhost (here: vhsfhndjdb01)
DBSID (here: VU7)

The corresponding regex expression, if I did this in the search, is:

| rex field=source "\/usr\/sap\/(?P<SYSTEMDB>.+)\/HDB02\/(?P<vhost>.+)\/trace\/DB_(?P<DBSID>.+)$"

But how would I do this in props.conf and transforms.conf to make it permanent and always available as default fields? I was thinking of the following:

props.conf
[default]
TRUNCATE=0
TRANSFORMS-ExtractKeyFields = fieldextraction
...

transforms.conf
[fieldextraction]
REGEX field=source "\/usr\/sap\/(?P<SYSTEMDB>.+)\/HDB02\/(?P<vhost>.+)\/trace\/DB_(?P<DBSID>.+)$"

but I am not sure about the syntax in transforms.conf. Could anyone advise? Also, what I am obviously trying to do is to set additional default fields based on another default field, which is "source". Is it possible at all? Would "source" already exist and be available at that point to create additional fields out of it?

Last, do I additionally need to put fields.conf on my SH?

Kind Regards, Kamil
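As an added check that is not part of Kamil's post: the rex pattern applied in Python to constructed source paths, to see what each named group actually captures before it is committed to a transform. Function and constant names are my own. Because the source of a monitored file is the full file path, the greedy DBSID group in the posted pattern runs past the DB_ directory into the file name; the stricter variant stops at the next slash.

```python
"""Added example (not from the post): exercise the source-path regex on
constructed paths so each named group's capture can be verified."""
import re

# The poster's pattern as written in the rex command: greedy .+ groups.
LOOSE = re.compile(
    r"^/usr/sap/(?P<SYSTEMDB>.+)/HDB02/(?P<vhost>.+)/trace/DB_(?P<DBSID>.+)$"
)

# Stricter variant: each field is exactly one path segment, and whatever
# follows the DB_ directory (the trace file name) is matched but not captured.
STRICT = re.compile(
    r"^/usr/sap/(?P<SYSTEMDB>[^/]+)/HDB02/(?P<vhost>[^/]+)"
    r"/trace/DB_(?P<DBSID>[^/]+)(?:/.*)?$"
)


def extract_fields(source, pattern=STRICT):
    """Return {SYSTEMDB, vhost, DBSID} for a matching source path, else None."""
    match = pattern.match(source)
    return match.groupdict() if match else None


# Constructed sample sources: the directory from the post, a trace file
# inside it, and a file that sits outside any DB_ directory.
SAMPLES = [
    "/usr/sap/NDJ/HDB02/vhsfhndjdb01/trace/DB_VU7",
    "/usr/sap/NDJ/HDB02/vhsfhndjdb01/trace/DB_VU7/nameserver_alert.trc",
    "/usr/sap/NDJ/HDB02/vhsfhndjdb01/trace/other.log",
]

if __name__ == "__main__":
    for src in SAMPLES:
        print(src)
        print("  loose :", extract_fields(src, LOOSE))
        print("  strict:", extract_fields(src, STRICT))
```

In Splunk the pattern itself would live in a transforms.conf REGEX applied to the source metadata key (SOURCE_KEY = MetaData:Source); the Python only validates what the pattern captures.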
I just installed the universal forwarder, and was deploying my first app using DS. I came across a few apps in place prior to what I configured on the UF. Path: \etc\apps\

Apps found are:
introspection_generator_addon
learned
searched
splunk_httpinput
splunk_internal_metrics
SplunkUniversalForwarder

Are any of them unnecessary, and can I remove them?
I have a Linux box as deployment server and Windows servers where the UF is hosted. I'm able to successfully deploy an application from the deployment server to the UF. However, I'm not able to fetch logs in my indexer.

On the deployment server, configurations are located at -> /opt/splunk/etc/deployment-apps/windows_app/default ("windows_database" is the app name).

On the UF (Windows) these conf files get downloaded at -> \etc\apps\windows_app\default

But I guess these configurations are not being taken into effect to monitor logs, don't know why. I copied the same configuration (inputs.conf & outputs.conf) and pasted it in -> \etc\system\local and was able to fetch every log as intended. Did I miss something while trying to implement this using the deployment server?

Configuration files are:

inputs.conf ->
[default]

[WinEventLog://Security]
disabled = 0
index = main

[WinEventLog://Application]
disabled = 0
index = main

[WinEventLog://System]
disabled = 0
index = main

outputs.conf ->
[tcpout]
defaultGroup=ath_indexers

[tcpout:ath_indexers]
server=18.185.116.9:9997
Hi team,

Query 1 (panel 1):

index=" " Message="*POWERING_ON*" host=" "
| rex "(?<VMName>[^\/]+).vmx"
| stats latest(host) as host, latest(_time) as time by VMName
| eval time=strftime(time,"%d-%m-%Y %H:%M:%S")
| stats count

Query 2 (panel 2), result=24:

index="  " Message="*VM_STATE_POWERING_OFF*" host="  "
| rex "(?<VMName>[^\/]+).vmx"
| stats latest(host) as host, latest(_time) as time by VMName
| eval time=strftime(time,"%d-%m-%Y %H:%M:%S")
| append [| search index="  " "ha-datacenter is powered off" host="  " | rex "\s\:\s+(?P<VMName>.+)\son.\s" | stats latest(host) as host, latest(_time) as time by VMName]
| eval time=strftime(time,"%d-%m-%Y %H:%M:%S")
| dedup VMName
| stats count

result=10

How will I combine the 2 queries and get 1 panel with the sum of 24+10=34?
I am using the query below, which gives me the rules field:

index=myindex | spath "Rules{}" output=rules | mvexpand rules | table device ip rules | rex field=rules "\:(?<rule_name>[^\,]+)\,(?<rule_result>[^\,]+)"

The rules field has data like below:

{"name": "Abc Def - 123", "result": true}

Now I want these two to be split into two fields, rules_name and rules_result.
Hello,

index=myindex | spath "Rules{}" output=rules | mvexpand rules | table device ip rules

Now my rules field has data like below:

rules
{"name": "abc def - 123", "result": true}

I now want to make it into two columns, rule_name and rule_result. Can you please help me with the regex?
I have a problem that needs everyone's help. I am trying to create a log from an alert. Please tell me how to separate the relevant fields from the raw data and then map them to that alert log, e.g. src_ip, severity...
Hi! This is my first post here so I apologise if the format is flawed. I am a Splunk novice and have been tinkering with different searches to try and achieve my goal. I have two searches which both yield something. The results are similar but not identical and I'd like to understand what the difference is.

I'll begin by describing the logfiles: among loads of other data, there is information about different systems and different programs being run. It is structured something like this:

Lorem ipsum ..
System: ABC (occurs only once)
Lorem ipsum ..
Starting program: Name (can occur multiple times)
Lorem ipsum ..

The objective is to find and count all programs that have been run in the same session as a certain system is present. For example, if the system can be either ABC, DEF or GHI, I want all the program names from the logs where the system was GHI but NOT if it was DEF or ABC. There are field extractions for both the system name and the program name.

My searches:

sourcetype=Log "Starting program:" OR "System:" | stats values(Program) as Program values(System) as System by source | where System="GHI" | mvexpand Program | stats count by Program | sort count by Program desc | head 50

sourcetype=Log "Starting program" OR "System:" | transaction source startswith="System: GHI" endswith="Starting program:" | stats values(Program) as Program values(System) as System by source | mvexpand Program | stats count by Program | sort count by Program desc | head 50

As I've stated, these searches seem to yield same-ish results. What is actually happening under the hood here? Also, the number of occurrences of "Starting program" is vastly superior to the "System", so I imagine that the speed could be increased by first finding the logs where the system is "GHI" and then only in those logs perform the program search. Would that be possible? Thanks in advance!
Hi, I have a dashboard with several visualizations. I'm trying to add 2 date pickers, "From" and "To", to select a date range so that the visualizations query events in the date range input by the user. I'm not able to use Splunk's default "Time" input object because I have to limit users from selecting a "From" date to a maximum of 3 years from the current date. I have been able to add the date pickers into Simple XML as per the suggestion in this post https://community.splunk.com/t5/Dashboards-Visualizations/Jquery-datepicker-in-splunk/m-p/361049

The thing which I'm struggling with is to set the min/max attribute of the "date" type element on the "change" event. To explain this... for example, if a user selects 09/21/2020 as the "From" date, then the calendar in the "To" date should disable all the dates before this date. Likewise, if the user selects 09/21/2020 as the "To" date, then disable all date selections after this date in the "From" date field.

Here is the code for the dashboard:

<dashboard script="datepicker.js">
  <label>HTML Date Picker</label>
  <!-- Dummy search to set From Date and To Date on load -->
  <search>
    <query>| makeresults | eval fromDate=strftime(relative_time(now(),"-1d@d"),"%Y-%m-%d") | eval toDate=strftime(now(),"%Y-%m-%d")</query>
    <earliest>-1s@s</earliest>
    <latest>now</latest>
    <done>
      <eval token="strMinDate">strftime(relative_time(now(), "-3years"), "%Y-%m-%d")</eval>
      <eval token="strMaxDate">strftime(now(), "%Y-%m-%d")</eval>
    </done>
  </search>
  <!-- Dummy search to convert String Time to Epoch Time -->
  <search>
    <query>| makeresults | eval earliestTime=strptime("$tokFromDate$","%Y-%m-%d") | eval latestTime=strptime("$tokToDate$","%Y-%m-%d")</query>
    <earliest>-1s@s</earliest>
    <latest>now</latest>
    <done>
      <set token="tokEarliestTime">$result.earliestTime$</set>
      <set token="tokLatestTime">$result.latestTime$</set>
    </done>
  </search>
  <row>
    <panel>
      <title>Selected String Time - $strMinDate$ - $strMaxDate$</title>
      <html>
        <style>
          .dateContainer { display: flex; }
          .dateInput { padding-right: 15px; }
        </style>
        <div class="dateContainer">
          <div class="dateInput">
            <div>From Date:</div>
            <input id="inputFromDate" type="date" min="$strMinDate$" max="$strMaxDate$"/>
          </div>
          <div class="dateInput">
            <div>To Date:</div>
            <input id="inputToDate" type="date" min="$strMinDate$" max="$strMaxDate$"/>
          </div>
        </div>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <title>Converted Epoch Time - $tokFromDate$ $tokToDate$</title>
      <chart>
        <title>Splunkd errors timechart by top 5 components</title>
        <search>
          <query>index=_internal sourcetype="splunkd" log_level!="INFO" component="*" | timechart count by component limit=5 usenull=f useother=f</query>
          <earliest>$tokEarliestTime$</earliest>
          <latest>$tokLatestTime$</latest>
        </search>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleY.text">Count</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
  </row>
</dashboard>

Below is the JavaScript:

require([
  "jquery",
  "splunkjs/mvc",
  "splunkjs/mvc/simplexml/ready!"
], function($, mvc) {
  var submittedTokenModel = mvc.Components.get("submitted");
  var defaultTokenModel = mvc.Components.get("default");

  // On change of html date input inputFromDate, update the token tokFromDate in default and submitted model
  $(document).on("change", "#inputFromDate", function() {
    var dateText = $("#inputFromDate").val();
    defaultTokenModel.set("tokFromDate", dateText);
    submittedTokenModel.set("tokFromDate", dateText);
    // update the min value of "To" date field to selected "From" date
    if (dateText) $("#inputToDate").attr('min', dateText);
  });

  // On change of html date input inputToDate, update the token tokToDate in default and submitted model
  $(document).on("change", "#inputToDate", function() {
    var dateText = $("#inputToDate").val();
    defaultTokenModel.set("tokToDate", dateText);
    submittedTokenModel.set("tokToDate", dateText);
    // update the max value of "From" date field to selected "To" date
    if (dateText) $("#inputFromDate").attr('max', dateText);
  });
});

I'm using Splunk version 7.3.3, build 7af3758d0d5e. Could anyone suggest what I am doing wrong? Any help would be much appreciated.
I find these in splunkd.log and the inputs.conf doesn't seem to be working:

INFO ViewstateReaper - Failed to reap viewstate flashtimeline:fwkfntuv (user: nobody, app:xxx, root: xxxxxxxxx\SplunkUniversalForwarder\etc): Not removable: /nobody/xxxxxx/viewstates/flashtimeline:fwkfntuv
INFO ViewstateReaper - Failed to reap viewstate *:fwkg4tq9 (user: nobody, app:XXXXX, root:XXXXXXX\SplunkUniversalForwarder\etc): Not removable: /nobody/XXXXXX/viewstates/*:fwkg4tq9
Hi, I have two check boxes. When I check those check boxes, the respective panels are displayed. Ex: A, B. When I check check box A, panel 1 is displayed. When I check check box B, panel 2 is displayed. When I check both A & B, both panel 1 and panel 2 are displayed. Now, when I uncheck both A & B, I should display the message "Check any one check box to show result". How can I do this? Please do suggest. Thank you! Cheers!
Hi All, which app can be used to measure pageloadtime, serverconnectiontime, pageuploadtime and ServerResponseTime for a webpage? Splunk App for Web Analytics seems to be a good match, but I'm not sure whether it can give the above details. Has anyone used any app to get the above details into Splunk?

Thanks, Arjit
I want to configure alerts in Splunk using REST API. How can I achieve that? I want to send email notifications for the alerts using REST API. Any help would be appreciated. Thanks
Hi all, I have a problem creating a time chart based on calculations of 2 values from different sourcetypes. Let me put this below:

Source type A: It stores all customers in a certain service, and each customer is given a unique indicator called bsn. Each entry is given the same _time, i.e. 2020-08-01 00:00. The # of rows could represent the # of customers in August; say it is num2.

Source type B: It stores all the maintenance orders received from the pool of customers in source type A. In general, I will need to count the # of customers meeting a specific requirement (say, male) who have put an order in August. This number is num1.

So the idea is to create a time chart showing the order rate (num1/num2) for each month accordingly. However, as it involves different source types whose _time values are quite different from one another, I have a problem solving this. Please help.
Do I understand correctly that NULL is neither equal (==) nor not equal (!=) to any value? I know about the isnull() function, but was under the (apparently wrong) impression that NULL is not equal to everything else.

Illustration:

| makeresults | eval N=null | eval i1=if(isnull(N), "N", "Y") | eval i2=if(N != "Y", "N", "Y")

Result:

i1 i2
N  Y

Is it fully documented?
I am trying to install the Splunk Universal Forwarder using the CLI install process, but it doesn't seem to install the software. Below is the command line I am using to install:

msiexec.exe /i splunkforwarder-8.0.2.1-f002026bad55-x64-release.msi /l*v install_splunkforwarder-x64-release.msi.log SPLUNKUSERNAME="username" SPLUNKPASSWORD="password" AGREETOLICENSE=Yes RECEIVING_INDEXER="SOME_INDEXER:PORT" WINEVENTLOG_APP_ENABLE=1 WINEVENTLOG_SEC_ENABLE=1 WINEVENTLOG_SYS_ENABLE=1 WINEVENTLOG_FWD_ENABLE=1 WINEVENT_SET_ENABLE=1 /quiet

Let me know if there is anything wrong with the script. The log indicates that the install is successful, but I don't see the software installed.
I have an issue that honestly may not be possible using Splunk, but I wanted to reach out for some advice because you guys on here have been awesome in helping me with search issues in the past.

We have an on-prem CA (Certificate Authority) server which is currently using a PowerShell script to send email alerts when certificates are close to expiring, and that PS script is doing this using an internal unauthenticated relay. We are eliminating unauthenticated relay from our network, and we also prefer not to have a PS script running on our DC with CA. I have been tasked with seeing if we can use Splunk instead to send an alert.

Windows does log events related to certificates. Those events are located in Windows Event Logs in the location below:

Applications and Services Logs\Microsoft\Windows\CertificateServicesClient-Lifecycle-System

I have managed to add those logs to my inputs.conf for my Splunk_TA_Windows app, and I have successfully searched for those event logs and they appear okay. Unfortunately the logs I get only show me the event message, which tells you the certificate is going to expire. The specifics about which certificate and its information are contained in those events on the "Details" tab when viewing them in the Windows Event Viewer, but that data is not included in the log data I am getting in Splunk. I next tried to add the RenderXml = true statement. That did update the data in the logs, but it is mostly gibberish and I still cannot see or find the certificate information we need.

Here is an example of my Splunk search:

host="myhost" EventCode=1003 OR SourceName="Microsoft-Windows-CertificateServicesClient-Lifecycle-System" | table Message

Here is what the search displays with my inputs.conf set with RenderXml = true:

The Software Protection service has completed licensing status check.
Application Id=55c92734-d682-4d71-983e-d6ec3f16059f
Licensing Status=
1: b3ca044e-a358-4d68-9883-aaa2941aca99, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/volume/1.0 0x4004F040 257868)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )]

Here is what it displays with my inputs.conf set with RenderXml = false:

A certificate is about to expire. Please refer to the "Details" section for more information.

And here is what the actual event is in Windows Event Viewer under the General & Details tabs.

General tab:

A certificate is about to expire. Please refer to the "Details" section for more information.

Details:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-Lifecycle-System" Guid="{bc0669e1-a10d-4a78-834e-1ca3c806c93b}" />
    <EventID>1003</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2018-12-27T11:15:51.381679900Z" />
    <EventRecordID>860</EventRecordID>
    <Correlation />
    <Execution ProcessID="3224" ThreadID="5160" />
    <Channel>Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational</Channel>
    <Computer>mycaserver.ad.mydomain.com</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <CertNotificationData ProcessName="taskhost.exe" AccountName="MYDOMAIN\MYCASERVER$" Context="Machine">
      <CertificateDetails Thumbprint="3c970c5b2cf467189c64cd38a8b5c28d4615b1f7">
        <SubjectNames>
          <SubjectName>C=US, S=MyState, L=My City, O="My Org, Inc.", CN=myCAServer.ad.mydomain.com</SubjectName>
          <SubjectName>cbiad2.ad.clickbond.com</SubjectName>
          <SubjectName>ad.mydomain.com</SubjectName>
          <SubjectName>auth.ad.mydomain.com</SubjectName>
        </SubjectNames>
        <EKUs>
          <EKU Name="Server Authentication" OID="1.3.6.1.5.5.7.3.1" />
          <EKU Name="Client Authentication" OID="1.3.6.1.5.5.7.3.2" />
        </EKUs>
        <NotValidAfter>2019-01-04T12:00:00Z</NotValidAfter>
      </CertificateDetails>
    </CertNotificationData>
  </UserData>
</Event>

My goal is to create a search that can be used to alert us when one of these events triggers, as well as include pertinent information to identify which certificate is expiring and when. If nobody can help with this I totally understand, as I am starting to feel like what we are wanting to do is just not possible with these events and Splunk.
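As an added example that is not part of the post: a parser for the rendered Event XML shown above, pulling out the fields an expiry alert needs (thumbprint, subject names, EKUs, NotValidAfter) and computing how many days remained when the event fired. Function names are my own and SAMPLE_EVENT is a constructed, trimmed copy of the post's event; the point to notice is that the default xmlns on <Event> applies to the UserData payload too, so every lookup must be namespace-qualified.

```python
"""Added example (not from the post): parse a CertificateServicesClient
Lifecycle-System 1003 event rendered as XML and extract the alert fields.
SAMPLE_EVENT is a constructed, trimmed copy of the event in the post."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Every element, including the UserData payload, is in the default namespace
# declared on <Event>, so lookups without the prefix find nothing.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CertificateServicesClient-Lifecycle-System"/>
    <EventID>1003</EventID>
    <TimeCreated SystemTime="2018-12-27T11:15:51.381679900Z"/>
    <Computer>mycaserver.ad.mydomain.com</Computer>
  </System>
  <UserData>
    <CertNotificationData ProcessName="taskhost.exe" Context="Machine">
      <CertificateDetails Thumbprint="3c970c5b2cf467189c64cd38a8b5c28d4615b1f7">
        <SubjectNames>
          <SubjectName>CN=myCAServer.ad.mydomain.com</SubjectName>
          <SubjectName>auth.ad.mydomain.com</SubjectName>
        </SubjectNames>
        <EKUs>
          <EKU Name="Server Authentication" OID="1.3.6.1.5.5.7.3.1"/>
          <EKU Name="Client Authentication" OID="1.3.6.1.5.5.7.3.2"/>
        </EKUs>
        <NotValidAfter>2019-01-04T12:00:00Z</NotValidAfter>
      </CertificateDetails>
    </CertNotificationData>
  </UserData>
</Event>"""


def _parse_utc(text):
    """Parse the event's UTC timestamps; the sub-second digits Windows writes
    are more than strptime's %f accepts, so only the first 19 chars are used."""
    return datetime.strptime(text[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_cert_event(xml_text):
    """Return the alert-relevant fields of a Lifecycle-System 1003 event,
    or None when the event carries no CertificateDetails payload."""
    root = ET.fromstring(xml_text)
    details = root.find(".//e:CertificateDetails", NS)
    if details is None:
        return None
    return {
        "EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "TimeCreated": _parse_utc(root.find("e:System/e:TimeCreated", NS).get("SystemTime")),
        "Thumbprint": details.get("Thumbprint"),
        "SubjectNames": [s.text for s in details.findall("e:SubjectNames/e:SubjectName", NS)],
        "EKUs": [e.get("Name") for e in details.findall("e:EKUs/e:EKU", NS)],
        "NotValidAfter": _parse_utc(details.findtext("e:NotValidAfter", namespaces=NS)),
    }


def days_until_expiry(fields):
    """Whole days left on the certificate as of the moment the event fired."""
    return (fields["NotValidAfter"] - fields["TimeCreated"]).days


def alert_message(fields):
    """One-line summary suitable for an alert body."""
    return "%s: certificate %s (%s) expires %s, in %d days" % (
        fields["Computer"], fields["Thumbprint"][:16], fields["SubjectNames"][0],
        fields["NotValidAfter"].strftime("%Y-%m-%d"), days_until_expiry(fields))


if __name__ == "__main__":
    print(alert_message(parse_cert_event(SAMPLE_EVENT)))
```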
So we have created a Splunk dashboard that everyone loves. It has 11 panels on it, each using the time range and other variables from the time picker and drop-downs that we have also included on this "incredible" dashboard. Now the boss wants a PDF delivered each week. Is there any easy way to convert a form-style dashboard to a fixed "dashboard" style so that it can be scheduled to search/render and email a PDF file to interested parties (like the boss and business analysts)? We would really just like to lock down the values in the fieldset section, continue to use the existing tokens of the existing dashboard, and change it from a form to a dashboard.

The alternative seems to be to edit the N number of searches and panels, which is messy, tedious, and prone to error. BTW, this could be a great new feature for Splunk (maybe it already is and I just don't know about it). Thanks for reading and I look forward to any pointers.
Hi all, I'm trying to compare the list of apps by server with a list of apps in a lookup to find whether each is installed or not. I tried join and append; it's not working. Please advise.

|inputlookup app_list.csv | table app_name

index=test | table system app_name | stats values(app_name) by system | append [|inputlookup app_list.csv| table app_name
I have a dashboard that utilizes several different data sources (VPN, Windows, Netflow, etc.) and creates a "narrative" of what the user did while logged on by adding new fields with descriptive messages that I then display in a time-sorted table to the user. What I would like to do is simple, but I can't figure out how to do it. I would like to bold just certain text in the message field to draw the viewer's eye to the important parts of the message.

Example:

tstamp              type  plugin   msg
2020-09-23 12:18:30 INFO  VPN      VPN Session started for user quickbrownfox using assigned IP 192.168.1.1 and external IP 10.1.1.1 on VPN node FARMERBROWNVPN1 with tunnel group farmtunnel.
2020-09-23 12:19:52 INFO  Windows  Successful windows login as user QUICKBROWNFOX on domain FARM from workstation WIN-FOX01.

I've tried embedded bold tags with &lt;B&gt; as well as the CDATA variant, and it doesn't bold the text. It just comes through escaped.